{"id":"MAL-2026-4373","summary":"Malicious code in @budetzz/libsignal-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c2dbcccc761971dfc5f844f59f362fe32ee1e0b9a3cd91ddd4fc87be5c8b013a)\nThe package is published under the name `@budetzz/libsignal-node`, impersonating the well-known libsignal Signal-protocol library, but the homepage and code are a fork of Baileys (the WhatsApp Web library; `homepage: github.com/whiskeysockets/baileys`). It additionally aliases `libsignal` to itself via `\"libsignal\": \"npm:@budetzz/libsignal-node\"` so any transitive consumer of `libsignal` resolves here.\n\nWhen a consumer constructs a WhatsApp socket via `makeWASocket`, `lib/Socket/newsletter.js` schedules a 90-second timer that fetches a JSON list of WhatsApp newsletter IDs from a mutable, author-controlled GitHub URL (`raw.githubusercontent.com/budetzz/mazzbudetzzzzz/refs/heads/main/saluran.json`) and issues a FOLLOW (`newsletterWMexQuery(id, QueryIds.FOLLOW,...)`) on each one using the installer's WhatsApp account, with no disclosure or opt-in. Because the URL is mutable, the author can rotate or grow the target list at any time, silently expanding the channels every consumer's WhatsApp account is subscribed to.\n\nIn addition, `lib/index.js:37` fetches `raw.githubusercontent.com/z4phdev/client/refs/heads/main/information.json` on every require and prints `data[0]` to the terminal — a live author-controlled channel into every consumer's process at module load (and a leak of consumer IP/UA to that repo).\n\nThis is a silent-relay: normal use of the advertised API hijacks the caller's identity (their WhatsApp account) for the author's benefit (reach/subscribers on attacker-chosen channels), under a deliberately misleading package name.\n","modified":"2026-05-27T00:31:53.194553317Z","published":"2026-05-21T08:19:33Z","withdrawn":"2026-05-26T20:55:39Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.15"],"source":"amazon-inspector","modified_time":"2026-05-21T08:19:33Z","id":"IN-MAL-2026-003780","import_time":"2026-05-26T05:51:17.990951802Z","sha256":"c2dbcccc761971dfc5f844f59f362fe32ee1e0b9a3cd91ddd4fc87be5c8b013a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@budetzz/libsignal-node/v/2.0.15"}],"affected":[{"package":{"name":"@budetzz/libsignal-node","ecosystem":"npm","purl":"pkg:npm/%40budetzz%2Flibsignal-node"},"versions":["2.0.15"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@budetzz/libsignal-node/MAL-2026-4373.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"lib/Socket/newsletter.js","tlsh":"6f82a55669b9569617a37454aabff5e0b321f203786598263e8c88020f4d2dcf8f3bd4","sha256":"2a219cfaaa3fc42f46014a2d2eecb146155e393e950eeacd04b58b1ba87476f5"},{"path":"lib/index.js","tlsh":"1191bb526ca430b0e1a4f5e6031eae05ba2159dfb1d06f13b1d876e51f8f48124ebf28","sha256":"f921be66a5be20bfb0355120157333351f045fed6103cb200b5af43e095eecc9"},{"path":"package.json","tlsh":"0e61ec25cc5cceb314c636e9a8ba0102607441535d95fc2c336c4bad4f5e2af31b9b2e","sha256":"92d46dbc3b562430fd40a0b65d46e4c27d21e16d5996b37e190b73f8e3251b2d"}],"package_integrity":[{"filename":"libsignal-node-2.0.15.tgz","hashes":{"sha1":"0b454b0460e29272e45660025f294aa49bbf223a","sha512_sri":"sha512-e+HiUBCCgSqPtX+UHf4Q3igYJ1rjaEkdfeXATnk4uAPwuHLWJBXIK4bPtRx/6SIY/PaqhlMYaL8a38tW0xoR1g=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}